Vienna
Vienna is a DOS .com-infecting virus based on Christmas from the late 1980s. Its source code was published many times, accounting for its hundreds of variants.

Payload

Vienna is a non-resident, direct-action .com infector. When a file infected with the virus is run, it searches for .com files on the system and infects one of them. The seconds on the infected file's timestamp will read "62", an impossible value, making infected files easy to find. One in every six to eight files is destroyed when Vienna tries to infect it: the virus overwrites the first five bytes with the hex string "EAF0FF00F0", instructions that cause a warm reboot when the program is run. These files do not actually contain the Vienna virus; they are just corrupted by it.

Removal

Use F-Prot, NAV or delete the infected files.

Creator

The creator of the Vienna virus has never been revealed. Some sources say that the virus was created by a Vienna high school student as an experiment. The first person to detect the virus was Franz Swoboda. Information was leaked that Swoboda received the virus from Ralf Burger, but Burger claimed that he received the virus from Swoboda. Ralf Burger did create a variant that caused the computer to hang rather than reboot.

Variants

Vienna.Choinka

This variant, sometimes also known as Father Christmas, is 1,881 bytes long and possibly comes from Poland. It also contains a Christmas greeting that takes up a greater part of its length.

Vienna.Gympel

This variant likely comes from Slovakia, as it contains text in the Slovak language that says, "Gympel je tycka." (Highschool is a throw-up.) It may sometimes be detected as Vienna.843, or 833.

Iraqui Warrior

This variant is 777 bytes long and contains the message:

I come to you from The Ayatollah! ©1990, VirusMasters An Iraqui Warrior is in your computer

This variant contains an error that prevents it from reproducing beyond the first generation.

Vienna.Lisbon

The Lisbon variant was discovered in Portugal.
It was likely reassembled to throw off some antivirus programs. When this variant destroys a file, it overwrites the beginning with "@AIDS".

Vienna.Monxla/Interceptor

Monxla and Interceptor (one or both of them may also go by the alias Time) have different effects on the computer depending on the time that they are executed. The Monxla.A subvariant is 939 bytes long, Monxla.B is 535 bytes long and Interceptor is 1,014 bytes long.

Vienna.NewVienna

This variant comes from Bulgaria. It has a shorter infection than the original and has a payload that formats the hard drive.

Vienna.NTKC

This is the largest file-infecting virus currently known. Aside from that, there is nothing really different about it from other Vienna variants.

Vienna.Reboot

This variant overwrites .com files with a program that causes the computer to reboot when the file is run. Such files cannot be cleaned; they need to be deleted and reinstalled.

Vienna.Violator/Arf/Christmas Violator/Baby

These variants were likely coded by the same creator, as they have a great deal of code in common. The 1,055-byte Violator variant contains text that says:

TransMogrified ™ 1990 by RABID N'tnl Development Corp. Copyright © 1990 RABID ! Activation Date: 08/15/90 - Violator Strain B (Field Demo Test Version) *NOT TO BE DISTRIBUTED*

While the words "Violator Strain B" may indicate a previous variant, none has yet been found. A later variant weighing in at 5,302 bytes, known as Christmas Violator, displays a Christmas greeting:

Violator Strain B4 - Written by The RABID Nat'nl Development Corp. RABID would like to take this opportunity to extend it's sincerest holiday wishes to all Pir8 lamers around the world! If you are reading this, then you are lame!!! Anyway, to John McAffe! Have a Merry Christmas and a virus filled new year. Go ahead! Make our day! Remember! In the festive season, Say NO to drugs!!! They suck ****! (Bah! We make a virus this large, might as well have something positive!)
Another variant, Arf, displays the text "Arf, Arf! Got you!" when it activates. Baby, which is about 1,000 bytes long, allows the user to specify the activation date and the text message to display.

Vienna.W13

The Vienna.W13 variant marks infected files with a month number of 13 rather than a seconds value of 62.

Other Variants

*Vienna.Ambalama
*Vienna.Angel
*Vienna.BboDong
*Vienna.Bloodspill
*Vienna.BNB
*Vienna.Born
*Vienna.Bua
*Vienna.BY
*Vienna.ByteWarrior
*Vienna.Cracky
*Vienna.DDrUS
*Vienna.DearUser
*Vienna.Dr. Q
*Vienna.Ender
*Vienna.Feliz
*Vienna.Genny
*Vienna.Grither
*Vienna.Gustav
*Vienna.Hybryd
*Vienna.IRA
*Vienna.Kuzmitch
*Vienna.Maxwell
*Vienna.Norilsk
*Vienna.Oscar
*Vienna.Parasite
*Vienna.Pivi
*Vienna.Saigon
*Vienna.SDI
*Vienna.Sector
*Vienna.Skate
*Vienna.SPb
*Vienna.Sunday
*Vienna.TheseDays
*Vienna.Viperize
*Vienna.Westmont

Other Facts

The Vienna virus source code was published in many places, including Ralf Burger's book "Computer Viruses: A High-Tech Disease", giving rise to its many variants.

Vienna became the first virus to be destroyed by an antivirus program. Ralf Burger sent a copy of the virus to Bernd Fix, who managed to neutralize the virus.

Sources

F-Secure Computer Virus Information Pages, Vienna
McAfee Antivirus. Vienna
Virus List, "History of Malware, 1987".
Computer Knowledge, Dr. Solomon: 1986-1987 - The Prologue
Eset.com Vienna
Ralf Burger. Computer Viruses: A High-Tech Disease. 1988 Abacus (United Kingdom). ISBN 1557550433
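
The markers described under Payload and Vienna.W13 can be checked mechanically. The following is an added example, not code from the original page or from any antivirus product: it decodes the packed time and date words of a standard 32-byte FAT directory entry (where the seconds field counts 2-second units, so "62" is the raw value 31) and looks for the five-byte overwrite at the start of a .com file. The function names and the sample entries are constructed for illustration.

```python
import struct

REBOOT_STUB = bytes.fromhex("EAF0FF00F0")  # five bytes from the page: JMP FAR F000:FFF0

def decode_fat_stamp(raw_time, raw_date):
    """Unpack the 16-bit FAT time and date words of a directory entry."""
    return {
        "seconds": (raw_time & 0x1F) * 2,   # 5-bit field counted in 2-second units
        "minutes": (raw_time >> 5) & 0x3F,
        "hours": raw_time >> 11,
        "day": raw_date & 0x1F,
        "month": (raw_date >> 5) & 0x0F,
        "year": 1980 + (raw_date >> 9),
    }

def vienna_findings(entry, head):
    """entry: 32-byte FAT directory entry; head: first bytes of the file's data."""
    if entry[8:11] != b"COM":
        return []                            # the page describes .com files only
    raw_time, raw_date = struct.unpack_from("<HH", entry, 22)
    stamp = decode_fat_stamp(raw_time, raw_date)
    findings = []
    if stamp["seconds"] == 62:
        findings.append("seconds=62 infection marker")
    if stamp["month"] == 13:
        findings.append("month=13 marker (Vienna.W13)")
    if head[:5] == REBOOT_STUB:
        findings.append("reboot stub at offset 0 (file destroyed, not infected)")
    return findings

def make_entry(ext, hours, minutes, seconds, year, month, day):
    """Build a constructed directory entry for the demo (not real disk data)."""
    raw_time = (hours << 11) | (minutes << 5) | (seconds // 2)
    raw_date = ((year - 1980) << 9) | (month << 5) | day
    return struct.pack("<8s3sB10sHHHI", b"SAMPLE  ", ext, 0x20, bytes(10),
                       raw_time, raw_date, 2, 1024)

if __name__ == "__main__":
    normal_head = b"\xe9\x10\x00\x90\x90"    # constructed: ordinary near jump
    samples = {
        "clean": (make_entry(b"COM", 12, 30, 10, 1989, 5, 1), normal_head),
        "marked": (make_entry(b"COM", 12, 30, 62, 1989, 5, 1), normal_head),
        "w13": (make_entry(b"COM", 12, 30, 10, 1989, 13, 1), normal_head),
        "destroyed": (make_entry(b"COM", 12, 30, 10, 1989, 5, 1), REBOOT_STUB),
    }
    for label, (entry, head) in samples.items():
        print(label, vienna_findings(entry, head))
```

A file flagged only for the reboot stub cannot be disinfected, because the original first five bytes are gone; it has to be restored from a clean copy.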